Twitter Settles FTC Security Complaint

Twitter and the Federal Trade Commission settle charges that the microblogging service failed to protect user privacy in two cases in 2009.

Twitter and the Federal Trade Commission have reached a settlement
over charges that the microblogging service failed to protect user privacy in
two security incidents last year.
The FTC complaint centered on a January 2009 incident in which an attacker
used an automated password-guessing tool to gain administrative control of
Twitter and reset numerous passwords. The attacker posted
the Twitter passwords on a Website where other people accessed them and
used them to send phony tweets.

The complaint also touched on an incident in April in which a hacker
compromised a Twitter employee's personal e-mail account and found two
passwords similar to the employee's Twitter administrative password stored in
plain text, according to the FTC. The hacker was able to then guess the
employee's Twitter administrative password and reset at least one Twitter user's
password, and had the power to access private user information and tweets for
any Twitter user.

"There were 45 accounts accessed in a January incident and 10 that
April for short periods of time," Alexander Macgillivray, Twitter's
general counsel, wrote June 24 on the Twitter blog. "In the first
incident, unauthorized joke tweets were made from nine accounts and attackers
may have accessed nonpublic information such as e-mail addresses and mobile
phone numbers. In the second, nonpublic information was accessible and at least
one user's password was reset."
According to the FTC, Twitter was vulnerable to the attacks because, "It
failed to take reasonable steps to prevent unauthorized administrative control
of its system, including:

- requiring employees
to use hard-to-guess administrative passwords that are not used for other
programs, websites, or networks;

- prohibiting
employees from storing administrative passwords in plain text within their
personal e-mail accounts;
- suspending or
disabling administrative passwords after a reasonable number of unsuccessful
login attempts;
- providing an
administrative login webpage that is made known only to authorized persons and
is separate from the login page for users;
- enforcing periodic
changes of administrative passwords by, for example, setting them to expire
every 90 days;
- restricting access
to administrative controls to employees whose jobs required it; and
- imposing other
reasonable restrictions on administrative access, such as by restricting access
to specified IP addresses."

"When a company promises consumers that their personal information is
secure, it must live up to that promise," David Vladeck, director of the
FTC's Bureau of Consumer Protection, said in a statement. "Likewise, a
company that allows consumers to designate their information as private must
use reasonable security to uphold such designations. Consumers who use social
networking sites may choose to share some information with others, but they
still have a right to expect that their personal information will be kept
private and secure."
Macgillivray noted that Twitter has "implemented many of the FTC's
suggestions and the agreement formalizes our commitment
to those security practices."
He also said, "Within hours of the January 2009 breach, we closed the security
hole and notified affected account holders." In the second incident, the
hacker's administrative access was removed "within less than 18
minutes of the attack," and once again the victims were notified, he said.
A Twitter spokesperson told eWEEK Twitter is a different company than
it was when the attacks occurred in 2009. At the time of the January incident,
the company had 22 people; in April, it had 40.
"We felt it was important to put the 11-month inquiry behind us ... We
have since implemented a number of industry best practices in attempts to
minimize attacks and dedicated ourselves to building a world-class Trust &
Safety team that is one of our largest organizations in our now 200 person-plus
company," the spokesperson said.